Intermission: LastPass FAQ

It’s been two weeks since my last post, when I suggested that you install LastPass and start collecting passwords from around the Internet into your account. If you did, good for you. Though I said I was going to go on in my next post, I’m actually going to take a short break to make sure that you have a chance to collect all your passwords.

If you haven’t yet, go ahead and read How to Use Better Passwords Without Losing Your Mind. Using a password manager isn’t necessarily fun, but it will save you an awful lot of grief in the long run.

What I am going to do this week is cover a few common questions and misconceptions I’ve heard.

What happens if I need a password and I’m not at my computer?
Although the convenient LastPass button is present only on computers you’ve installed it on, you can still browse to LastPass.com on any computer and log in with your username and password to copy passwords onto your clipboard if you need them.

Isn’t that a pain?
Yeah, it is. That’s why I don’t use LastPass for my email, Facebook, or Amazon accounts, since I often need to access those on other computers. Instead I have separate strong passwords for them (created with the same process that I described for coming up with a master password last week). On the odd occasion that I need to access a strange account from a public computer, it’s not such a big deal. You should probably do the same, once you’ve gotten all your passwords straightened out.

Can I use LastPass if I can’t change a password?
But I can’t / shouldn’t put that password into LastPass, because someone else needs to use it / the site has specific password requirements.
You absolutely can, and you should. You should put all of your passwords into LastPass, regardless of the situation. Simply putting your password into LastPass does not change the password or do anything to change your login or the website. It’s only when you later go through and change your passwords that, well, your passwords change. On the other hand, if you put the password into LastPass, you won’t forget it, and you’ll likely get it off an insecure medium like a sheet of paper. Besides, it just makes sense to keep all your passwords in one place.

There’s an obvious corollary to this: Remember to change your passwords once you’ve gotten them all into LastPass. If you don’t, you’re not much more secure than you were before.

So I’m more secure now that I’m using LastPass?
No, you need to change your passwords first. Using LastPass (or any password manager) is a great first step and a crucial one in securing your logins, but just having a LastPass account and saving your passwords to it does nothing to make you more secure. Saving your passwords in LastPass is the equivalent of writing down your (insecure) passwords and putting the list into a safe: nobody else can see your passwords, but they couldn’t anyway when they were in your head, and you haven’t made the passwords any more secure against guessing or automated attacks.

Once you change your passwords, you are more secure, since you now have random passwords. You could theoretically have accomplished that without LastPass, but in practice you would be unable to remember those passwords without it.

But will I have to pay for LastPass?
Unless you want to use a mobile version or certain two-factor authentication devices, no. You can get the premium version if you want (it’s only $12 a year), but most people don’t need to, and you certainly don’t have to pay just to try it out.

But I shouldn’t put my financial information in here?!
Is this actually secure?
Can’t someone read this?
Your credit card number is far more secure in LastPass than it is on your credit card. A pickpocket could easily steal your wallet while you’re walking by, and a waiter or store clerk could easily memorize or write down your information for use in the normal course of their job. Or you could simply drop your credit card on the ground and someone could pick it up. Your credit card is really a horrible method for storing your financial information.

In contrast, your LastPass database is encrypted with some of the strongest available encryption techniques. Nobody at LastPass can read your database, since it’s encrypted in the browser that you use to access it. Because of the encryption, even if someone succeeded in stealing the databases of every LastPass user from the server, they would be unable to read them. And it would take trillions of years for our present computers to break the encryption.

The only real hazard is someone sitting down at your computer and using it while you’re logged in (which is not any easier than grabbing your credit card). If you’re paranoid about this, you can check the “reprompt” box in a password’s “edit” screen. This requires LastPass to reprompt for your password before filling it in or showing the password, ensuring that even if somebody uses your computer while you’re logged in, they can’t get the really important passwords.

Obviously, this applies equally to all forms of financial and sensitive information—even though it’s being sent over the web (securely, via HTTPS and SSL, mind you), it’s still more secure than it would be in basically any other system, and certainly any system that you would ever use for storing it.

LastPass: How to Use Better Passwords Without Losing Your Mind

Last week (well, last post—I never got around to publishing for the last two weeks) I talked about why passwords are getting easier than ever to crack. If you haven’t read that article, you should read it now, because if you don’t, you’re going to give up before you get through this article.

Yes, I told you it wouldn’t be too easy. Well, it’s not exactly difficult, but it means an hour or three of work for you. But guess what: that’s a lot less trouble than you’d have to take if somebody got into one of your accounts and started screwing up your life. And given how easy it is now, it’s no longer a crazy, improbable possibility.

Besides keeping your passwords safer, LastPass can help you in other ways as well. It can fill out forms for you (of course, there are other tricks for doing this faster as well). It can keep track of what accounts you have on the Internet, which might seem unimportant but is really nice if you visit a site that you vaguely remember and can’t remember if you had an account already set up for. And guess what: you’ll never again sit at a username and password prompt and have no idea what to type in. It may be a small annoyance, but the more small annoyances you fix, the better your life will be.

Here’s how to get going and secure your life. I’m going to take you through some steps that may seem paranoid, but will greatly increase the likelihood that you remain secure not just now, but in the future. (For instance, a strong twelve-character password may be acceptable now, but in five years it may not be anymore. Therefore, I recommend a twenty-character password or better.)

If you can’t read any screenshot below clearly, you can click on it to display it full-size.

1: What Is LastPass?

LastPass is a browser extension that acts as a password manager. It adds a small LastPass button and right-click menu to your browser somewhere, as well as prompting you to autofill a password when you visit a page containing a login form:

The Firefox LastPass extension. In this screenshot, LastPass has been set to autofill the password into this site—all you have to do is click Login. The LastPass button is circled in the upper-right-hand corner.
The Chrome LastPass extension. It's very similar to the Firefox one. In this screenshot you see LastPass prompting you to fill in the login information rather than automatically filling it (this happens the first time after you enter a site and if you have multiple logins for a site).

LastPass can synchronize your data across multiple computers using the browser extension, so you can use LastPass at home, at work, and on your tablet or smartphone. You can also log onto the LastPass website if you need to access a password from a different computer (you can’t autofill, but you can copy and paste your password, which is good enough for occasional use).

However, you’re not giving your passwords up to LastPass for this convenience. All your data is encrypted on the client side, which means the browser on your local computer deals with everything. The folks at LastPass can never access your data, no matter if they’re curious, get hacked, or have a court order to retrieve your passwords. And the encryption would supposedly take trillions of years to crack with current computers—even if that’s a high estimate, nobody is getting to your passwords anytime soon. (LastPass has a nice page about their security, but I can’t seem to find it right now. If you’re still worried, try to find it, and if you do, post the URL in the comments for me.)

Unless you have an amazing memory or love sitting around memorizing strings of characters, you need a password manager to be fully secure in today’s world. If you don’t want to use LastPass for whatever reason, poke around the Internet and look for a different one (I don’t know of any other ones that can synchronize across the Internet, although you can still sync them using Dropbox or a similar service). Some popular ones include KeePass(X), RoboForm, and Password Safe. The rest of this article will focus on LastPass because I find it to be the easiest to use and most feature-rich.

2: What LastPass will not do

LastPass does not work miracles. It is a useful tool that helps you keep track of secure passwords, but simply getting a LastPass account will not magically increase your security. (This seems to be a fairly common misconception.) For it to work properly, you need to do a few other things:

  • Use a strong master password (and, preferably, two-factor authentication). If your password is “password,” all the security measures in the world will be useless.
  • Get all your passwords into LastPass’s database. If you don’t know where you have accounts on the Web, it’s going to be difficult to secure them.
  • Once you have them gathered together, change all your passwords to something more secure, ideally randomly generated.
  • Don’t do anything stupid. Don’t leave your LastPass account logged in on a public computer, write your master password on a sticky note on your monitor, or anything else. Common sense applies.

Ready to start? It’s probably best to wait until you have about forty-five minutes free to do the initial steps.

3: Choosing a Master Password

Before you create your account, you should choose a master password. If you’ve never made a strong password before, this is probably going to cause a few hangups for you. Your master password should be at least twenty characters long. Twenty-five or more is better.

There are a lot of different ways to get a good password. The one I typically use is to pick two or three phrases or words (randomly, using whatever inspiration you want) and string them together, often with some sort of numbers and/or punctuation in the middle. If you do this, it doesn’t matter if one part of the password is fairly guessable by itself—the strength is provided by the fact that two completely random things have been joined.

Here’s one of mine as an example (I don’t use it anymore, of course):

1-stuffed-gnu:no-evil-wo-vim

The second part of this password comes from the phrase “You can’t spell evil without vi.” If you don’t know anything about Unix/Linux, you probably don’t get it—which is all the better, because it demonstrates that most people probably wouldn’t even guess the original phrase, without my modification and the first part. The first part is a reference to the fact that gnus are related to *nix and can be remembered by thinking “the gnu is saying the following phrase.”

I could make this password even more secure without too much loss in memorability by capitalizing a random letter or two: 1-stuffed-gnU:no-evIL-wo-vim, or, slightly less secure in terms of guessing but useful if I needed a bit more help to remember, 1-stuffed-gnu:no-eVIl-wo-VIm. I could also add another number somewhere: 1-stuffed-gnu25:no-evil-wo-vim. (The 25 translates to “nose” in my modified version of the Major System, so I could remember this as “stuffed gnu nose.”)

If you don’t like my technique, another good one is using the initials of a phrase. Don’t pick a common phrase or a phrase from well-known literature (if you pick a Bible verse, for example, it is quite easy for a dictionary cracker to try every single verse in the Bible in just a few minutes). You should combine this with something else if you want a 20-character length. Names and birth dates work well when used in combination with something else. (Using only a name with a number after it is a recipe for disaster: cracker programs are available that can hack all common name+number combinations in only a couple of minutes.) You can hunt around the Internet for other good techniques; just be sure to take the sources with a grain of salt (if somebody on Yahoo Answers tells you that a six-character password of your initials repeated twice is a good password, they’re wrong).

“But I won’t remember this password!”

You can really remember pretty much any password of reasonable length, no matter how insane it is. The only thing you have to do is use it. If you enter your password enough, you’re unlikely to forget it, and if you do it even more and you’re a touch-typist, it’s likely the password will even be engraved into your unconscious memory—you can type it without thinking about the words. When I create a new master password for any encryption or password software, I type it ten times right afterwards, ten times later that day, and ten times the next day. As long as I use it regularly after that, I’ve never had trouble remembering my password.

You also get a password hint to help you out; see two paragraphs down.

If you really feel you need to, write down your master password and put it in a safe place. (If you usually keep your wallet with you, it’s probably pretty good—if you lose it, you should notice and have a chance to change your password.) After a few days, once you’re sure you know your password, it’s best to destroy it or put it somewhere really inaccessible, like a safe deposit box.

That said, keep in mind that there is no way to recover your LastPass master password if you forget it (remember that LastPass can never see your data?). This is of course the sensible way to handle information this secure, but most of us are so used to clicking the “Forgot your password?” link that we take it for granted that we can recover passwords anytime we forget them. However, while you can’t reset your password if you forget it, you can provide a password hint that will be emailed to you if you click the “forgot password” link. Since nobody but you will ever see this unless your email account is hacked, you can safely describe the parts of the password (for my example+numbers password, I could say something like “speaker’s nose: evil vim”). Chances are very good that that will be plenty to jog your memory.

At the end I’ll also talk about backing up your password list, so that even if you do forget your master password you won’t be totally screwed.

4: Signing Up

Phew, we’re 1500 words into this article and we haven’t even created an account yet? Don’t panic; in my experience the master password is usually the biggest mental hurdle for new users to overcome.

You can sign up for a LastPass account in several ways, but if you use this referral link both you and I get a free month of LastPass Premium.

Scroll down to “create your account” and fill in your email address, your shiny new master password, and a password hint, as described in the previous section.

You can uncheck “Keep a history of my logins and form fills” and/or “Send anonymous error reporting data…” if you’re really paranoid, but otherwise they should be fine. You do have to check the first two boxes, though. If you picked a good master password, the bar will probably be full.

In case you didn't get the warning that there's no way to recover your password yet, here you are. Take heed of the warning but don't do anything stupid because of it, like writing your password on a sticky note and putting it in your desk drawer.

Click the Download LastPass button and proceed through setup. This step will be different for each operating system and browser, so I won’t walk you through it (it’s not difficult). At some point during the process, you will be prompted to import all “insecure” passwords that are currently stored in your browser’s memory. You should accept this offer and the one to have them deleted from the old storage, as they’ll be safely retained in your new LastPass Vault. You may be shocked to discover how easily LastPass can tell you exactly what all those passwords are—that’s why it’s not a very good idea to store your passwords there!

You may need to restart your browser(s) to install the LastPass extension(s). (If you have multiple browsers, the extension should have been installed in all of them.) After you see the LastPass button (an asterisk with a black background, or a red background if you’re logged in) in your browser, you can click it to log in. There are two screenshots way up at the top if you’re confused.

5: Getting Your Passwords Into LastPass

Adding a new password to LastPass is easy:

Step 1: Go to the site you wish to add and sign in as normal.
Step 2: LastPass will display a bar at the top of the screen (the color depends on your browser and theme settings) asking you if you want it to remember this password. Click Save Site.
Step 3: Name the site and select a group. If you don't care much for organization and don't have too many passwords, you may choose not to group your passwords and just use the URL of the site. I, on the other hand, have nearly 100 entries in my LastPass database (not all of them are websites), so I organize things carefully into groups and give them friendlier names.

The only difficult or annoying part of this process is that you have to repeat it for all the accounts you have on the Internet. The easiest way is to take about a two-week-long break at this point. Every time you want to sign into a website, make sure you’re logged into LastPass (the icon will be red), then log in and make sure to click the “Save Site” button. For now, you’re done—go ahead and put continuing this on your calendar for a couple of weeks from now. Just don’t forget to keep adding those passwords (and don’t forget to come back or you won’t be any more secure than you were before).

If you want to speed the process up, there are a couple tricks. Obviously, if you currently have a pad of paper or a Word document containing a long list of passwords (shame on you), that’s a pretty good place to start. Another trick is to search your email for terms like “account” or “password reset” to remind yourself of what websites you have accounts with (since most websites send service messages to your email, as long as you archive your email this should work fairly well). It’ll probably be months before you have every website in your database, but as soon as you have a fair number of the ones you use frequently, you can proceed on to the next step.

6: Changing Your Passwords

Did you take a good break to find some of your accounts? Good. If you haven’t done it yet, it wouldn’t hurt to try some of the tricks in the paragraph immediately above, like searching through your email or password files. (If you haven’t added one to your database yet, just go to it and log in.)

Although you now have a nice, neat, comprehensive list of all (most of) your accounts and passwords, you’re not any more secure than you were when you started, even though you have a nice fancy password manager. In order to increase your security, you need to change the passwords.

Changing a password can be a bit of a challenge at times; it’s not always the most accessible option. (On one memorable occasion, I had to resort to an eHow article to figure out how to change my Comcast email password.) Fortunately, LastPass has a handy feature to help you out: the security check. The security check runs through your passwords and gives you a report of which passwords are duplicates and which have low strength. To use it, simply open your vault (LastPass button → LastPass Vault) and click the “security check” link on the left-hand side, then click the huge “Start the Challenge” button.

You’ll get a big score (90.1% in my case), a rank, and a short list of the criteria that it used to determine your score. That’s good for seeing how generally secure you are, but the real meat is underneath, where there’s an exhaustive listing of all your LastPass accounts, their strength, which have duplicate passwords, and (if you enable it) the exact plaintext password of each. Here’s a small snippet of mine (usernames blurred for security):

Sometimes you get a terrible rating on an account with a password that you can't change (for instance, on the top one, the username is the real password, as it's a string of random numbers, while the password is the first two letters of my last name). But most of the time, a low score indicates that you have a poor or duplicated password.

When you see that you have a poor rating on a site, you should click the “visit site” link, log in, and find the “change password” option. I’ll change my Amazon password because it’s currently a duplicate (though a strong password).

When changing a password, LastPass helpfully offers to fill both your current password and a new password.

After reaching the password change page, click “fill current” to enter your current password. Then click “Generate” to bring up the “Generate Secure Password” dialog box. A random password is about as secure as you can get: there’s no way to guess it aside from brute force. You probably can’t remember it, but that’s what your password manager is for—you only need to remember that one master password.

However, LastPass’s default settings really don’t produce a secure password. Here are my standard settings:

Here are good standard options. Your password length should be 20 or 25 (or more, if you want)—as there’s very rarely any need to type it, there’s little advantage in making it shorter. “Avoid Ambiguous Characters” is useful if you expect you’ll need to type it or copy it—it excludes characters like l, 1, I, and i, so that you won’t make errors because you couldn’t read the password.

Sometimes, though, you’ll encounter a website that imposes silly restrictions, like “the password must be exactly 7, 12, or 62 characters in length” or “the password must consist of exactly two numbers, two special characters, one composed of only straight lines and the other only curves, and thirteen consonants, alternately lowercase and capitalized.” (Okay, they’re not usually quite so bad, but sometimes they feel like it. Once I was trying to change my Yahoo password and was informed that my password could not contain any part of my first name. All well and good, but many moons ago I’d entered my first name as “S,” so my new password was not permitted to contain the letter s.) In this case, simply come back to this dialog box and fiddle with the options until they produce a password that meets the guidelines.

Once you’re done, click “generate” (the password doesn’t update to match your settings until you do), then “accept.” LastPass will fill in your new password. Click the accept or continue button on the website.

This final step is extremely important. After clicking accept, you will receive a notification bar that says “LastPass detected a password change….” Click “Confirm.” If you don’t, LastPass will continue attempting to log in with the old password and you’ll be unable to access the site. (The generated password is always saved as “generated password for x.com” until or unless you click save, so you’ll never completely lose your password and be locked out due to this. Keep that in mind in case it happens to you.)

Conclusion

If you follow these instructions, your passwords should be secure for the most part. It’s a lot of work, but the next time one of your passwords is compromised, you’ll be pretty happy. (I haven’t had a website lose my password information yet, but I have accidentally pasted my password into a live chatroom, twice. It’s a pain when you only use a couple of passwords and have to change them all in an afternoon.)

Next week I’ll talk about increasing the security on your LastPass account itself, as well as some more things you can do with LastPass (filling forms and storing software license keys). Additionally, I’ll discuss how to back up the contents of your LastPass account.

After the LastPass stuff is done, I’ll continue with security and talk about what you should do if one of your accounts is hacked. I’ll also deal with how you can protect yourself from other attack vectors that may allow people to bypass your passwords entirely.

Comments, questions, and problems are welcome.